Login System

Posted: Mon Apr 30, 2007 5:56 am
by pcoder
Hi,
It is really very difficult to develop a secure login system.
I have made one login system, and with the help of this forum I want to check whether it is secure or not. I have posted all the related code. Is there any possibility of SQL injection? If not, what will be the best method to make it more secure?
 

Code: Select all

 
<? 
 
if($_SERVER['REQUEST_METHOD']=="POST"){
    $usrname = $_POST['myuserid'];
    $password = trim($_POST['mypassword']);
    using('PIS.Logger');
    $objLogger = new Logger;
    $objLogger->login($usrname);
    $data = $objLogger->dbFetchArray(1);
    if(isset($data['USR_NAME']) && $data['USR_NAME'] == $usrname){
        if(isset($data['PWD']) && $data['PWD'] == $password){
            if(isset($data['STATUS']) && $data['STATUS'] == 'E'){
                $_SESSION['privillage'] = $data['PREVILAGE'];               
                _Redirect("content/personnel_detail.php?List&tm=1");
            }
            else{
                $_SESSION['err_msg'] = 'User Disabled';
            }
        }
        else{
            $_SESSION['err_msg'] = 'Password Mismatch';
        }
    }
    else{
        $_SESSION['err_msg'] = 'Invalid Username';
    }
}
?>
--------------------------------------------------------------------------------------------
    function login($uid){
        $sql = "SELECT usr_name,pwd,status,PREVILAGE FROM usr WHERE USR_NAME='".$uid."'";
        //echo $sql;
        return  $this->dbQueryReturn($sql);
    }
 
 
 

feyd | Please use [code] and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.

Posted: Mon Apr 30, 2007 9:56 am
by Zu
What would happen if, say, $uid contained:

Code: Select all

evil_user'; DROP TABLE usr;--

mysql_real_escape_string()

Posted: Tue May 01, 2007 3:04 am
by pcoder
It displays the invalid username message.

Posted: Tue May 01, 2007 3:37 am
by John Cartwright
Sure, it will display an invalid error; however, the point is that SQL code can be injected into the query string unless you, at minimum, pass all input through mysql_real_escape_string() and trim().
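
As an added example (not part of the thread or any poster's code), here is the lookup from the first post rewritten with a PDO prepared statement in place of the escaping suggested above; the mysql_* functions were removed in PHP 7. It goes slightly beyond the thread by assuming `pwd` stores a `password_hash()` value, and the in-memory SQLite database, the sample user and the function names `findUser` and `checkLogin` are constructed for the example.

```php
<?php
// Added example: not code from the thread. Table and column names follow the
// thread's query; the in-memory SQLite database and sample row are constructed.

function findUser(PDO $db, string $uid): ?array
{
    // The placeholder keeps $uid out of the SQL text, so quotes, semicolons
    // and comment markers in it are compared as data, never parsed as SQL.
    $stmt = $db->prepare(
        'SELECT usr_name, pwd, status, previlage FROM usr WHERE usr_name = :uid'
    );
    $stmt->execute([':uid' => $uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function checkLogin(PDO $db, string $uid, string $password): ?string
{
    $row = findUser($db, $uid);
    // Assumption beyond the thread: pwd holds a password_hash() value, not plaintext.
    if ($row === null || !password_verify($password, $row['pwd'])) {
        return null; // same result for an unknown user and a wrong password
    }
    // Only enabled accounts (status 'E', as in the thread) get a privilege back.
    return $row['status'] === 'E' ? $row['previlage'] : null;
}

// Constructed test data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE usr (usr_name TEXT PRIMARY KEY, pwd TEXT, status TEXT, previlage TEXT)');
$ins = $db->prepare('INSERT INTO usr VALUES (?, ?, ?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 'E', 'admin']);

// A valid login, then the input from the second post, then a row count
// showing the table is untouched after the injection attempt.
var_dump(checkLogin($db, 'alice', 'correct horse'));
var_dump(checkLogin($db, "evil_user'; DROP TABLE usr;--", 'x'));
var_dump((int) $db->query('SELECT COUNT(*) FROM usr')->fetchColumn());
```

Against MySQL only the DSN changes; setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes the driver use server-side prepared statements.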